A Debian wifi router

The search for a living space has been over for over a month now and I’m more or less settled in. I had a bad experience with my previous landlord keeping my wireless router (an Asus AC-RT68U) cos he’s a fucking asshole so I decided to give this a shot. I’m actively trying to solve money now so it really wasn’t an option to just buy another one as my living costs are now much, much higher.

I’ve hoarded a bit of equipment so I did have a couple of computers available to me. With a bit of looking I found out about hostapd and I got it to work more or less reliably on a Thinkpad X220 with an Intel Centrino chipset using the iwlwifi driver. The real problem started when I tried using my older Thinkpad T60 laptop for the same task. Mine has an Intel PRO/Wireless 3945ABG [Golan] chipset also using the iwlwifi driver but the crucial difference was that this chipset doesn’t support Master mode, so you can’t use it with hostapd to enable an AP. Looked around for a bit and tried using this Archer T2UH from Amazon but the support on Linux is a fucking joke, basically; they actually want you to compile the drivers from scratch to get everything going. Ended up with a Ubiquiti Networks SR71-C card using the ath9k chipset. I tried setting it up using the already-installed environment but I couldn’t get it to work so I basically reinstalled everything from scratch to start fresh.

I pieced this together from instructions found on the Debian Wiki, this guide from Ars Technica on building your own router, hostapd documentation, and a whole host of blog posts detailing how to pull this off, most of them with information easy to mess up.

As it is right now I’m typing this up on a Windows 10 system connected to the laptop and the signal and throughput are good enough for extended sessions playing Unreal Tournament pre-alpha.

Install Operating System

Installed Debian Stable fresh on the system with no desktop environment. This computer will now be a router so we don’t need any kind of desktop environment. Most desktop environments now require NetworkManager or wicd to manage network connectivity and I wanted to avoid all that crap. It just makes things more complicated for something that will be complicated enough already. I used the netinst install media with the laptop connected to the ISP through Ethernet and getting an IP address through DHCP, so I didn’t have to fiddle with any PPPoE clients to get online and install the stuff required.

# aptitude update
# aptitude install hostapd bridge-utils isc-dhcp-server bind9 rfkill vbetool vim-runtime vim-goodies tmux

Enable Wifi Adapter

For some weird and lame reason Debian didn’t enable the adapter after installation, so it has to be set up manually. These instructions are based on the Debian Wiki. The Atheros card is wlan0 while the built-in Intel adapter is wlan1.

# ip a
# rfkill unblock all
# iwconfig
# ip link set wlan0 up
# iwlist scan

The card scanned for networks around so it was working.

Edit /etc/network/interfaces so the WLAN interface doesn’t wait for an IP address. If you don’t do this it turns out the OS stops booting until it gets bored of waiting for an IP address.

auto wlan0
iface wlan0 inet static
    wireless-mode Master

You can use whatever IP address (like but make sure the same subnet is used throughout the entire configuration. I went with cos that’s what I like my networks to be on.

Configure iptables

Edit /etc/sysctl.conf and uncomment the line for IPv4 packet forwarding:


Create /etc/network/if-pre-up.d/iptables with the following contents:

#!/bin/sh
# Load the saved ruleset before any interface comes up
/sbin/iptables-restore < /etc/network/iptables


# sudo chown root /etc/network/if-pre-up.d/iptables ; chmod 755 /etc/network/if-pre-up.d/iptables

Create /etc/network/iptables and put the following in it:

# eth0 is WAN interface



# Forward traffic from wlan0 (LAN) to eth0(WAN)
-A FORWARD -i wlan0 -o eth0 -j ACCEPT

# Service rules

# Forwarding rules


At this point iptables will simply pass along all the traffic that hits the computer. I’ve since changed my configuration but this is a starting point as I just wanted to get online at this point. iptables rules are a pain in the ass to type.
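One way to check a ruleset for the accept-everything state described above, as an added example that is not the author's configuration: both sample rulesets are constructed, use the page's eth0 (WAN) and wlan0 (LAN) names, and the `audit` function is hypothetical.

```python
# Constructed samples in iptables-restore format (eth0 = WAN, wlan0 = LAN, as on
# the page). Neither is the author's file. The NAT table is identical in both.
NAT = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n"

# Accept-everything starting point: anything routed to the box is forwarded.
PERMISSIVE = NAT + """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
"""

# Default-drop variant: LAN may go out, WAN may only answer; DHCP/DNS from LAN only.
HARDENED = NAT + """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i wlan0 -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i wlan0 -p tcp --dport 53 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def audit(ruleset, wan="eth0"):
    """Return a list of findings for a router ruleset in iptables-restore format."""
    table, policy, rules = None, {}, []
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):                  # "*filter" opens a table
            table = line[1:]
        elif line.startswith(":"):                # ":FORWARD DROP [0:0]" sets a policy
            chain, target = line[1:].split()[:2]
            policy[table, chain] = target
        elif line.startswith("-A "):
            rules.append((table, line + " "))     # trailing space eases token matching
    findings = [f"filter/{c} policy is {policy.get(('filter', c))}, not DROP"
                for c in ("INPUT", "FORWARD") if policy.get(("filter", c)) != "DROP"]
    from_wan = [r for t, r in rules
                if t == "filter" and r.startswith("-A FORWARD ") and f" -i {wan} " in r]
    if not from_wan or any("ESTABLISHED" not in r for r in from_wan):
        findings.append(f"forwarding from {wan} lacks an established-connections-only rule")
    if not any(t == "nat" and f" -o {wan} " in r and "MASQUERADE" in r for t, r in rules):
        findings.append(f"no MASQUERADE for traffic leaving {wan}")
    return findings
```

A real file can be syntax-checked without loading it using `iptables-restore --test < /etc/network/iptables`.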

Configure DHCP

Edit /etc/dhcp/dhcpd.conf and add the following at the end of the file:

subnet netmask {
    option routers;
    option domain-name-servers;
    option broadcast-address;
}

Configure DNS

BIND works out of the box, thankfully enough.

Configure hostapd

Create and edit /etc/hostapd/hostapd.conf and put the following in it:

# SSID on 5GHz band

# Radar an' stuff

# 802.11n goodness

# wpa


The ht_capab are the ones I’ve found work with the SR71-C card. I’ll keep playing with them.

At this point everything looked good and I rebooted. I actually rebooted a whole bunch of times as I kept prodding and poking stuff every step of the way but I guess it all could be done in one go and just reboot at the end.

Actually be a Wifi Router

After rebooting do

$ sudo hostapd /etc/hostapd/hostapd.conf

Runs with the SSID, picks a channel, and starts the laptop as an AP. iptables is routing traffic from one interface to another, ISC DHCP gives out IP addresses and BIND does DNS. I did run into an issue where wlan0 kept sending out DHCP requests to which dhcpd would successfully assign a new IP address for wlan0. I got lazy and just set a static IP for the MAC address of the interface on dhcpd.conf. I’ll fix it… eventually.

There’s also the issue of tuning the kernel, firewall and a lot of other stuff since the computer is a single-purpose device rather than a multi-user computer. Most of the documentation I can find is for systems handling traffic at internet scale that would be overkill, so a lot of documentation will be read and a ton of adjustments made.

There will also be a lot of adjustments to hostapd itself to maximize throughput and signal stability. The SR71-C card only does 802.11n but the bitrate on this standard maxes out depending on the blue of the sky, the stage of the moon, how hot the dumpster fires are on twitter and how pissed off the boss is at work.

From what I’m getting this is relatively new stuff when it comes to DIY. People were doing this in the past but it was way more costly (like this sweet setup right here). I’m doing this on the cheap and it seems to be working well enough.

nginx + hhvm, continued

So after my last post on this, HHVM stopped working again, making nginx give a 502 as usual.

This time, a comment on a forum (who knows which, I looked at a lot of pages) gave me a little snippet that helped me pinpoint the issue:

# netstat -plunt | grep hhvm

This should have told me that HHVM was listening on a TCP port (since that’s what the default for HHVM is). But netstat reported nothing. After checking my configuration, I had forgotten that I had iptables drop all traffic to 127/8 that doesn’t use loopback. Here’s the snippet I use in my iptables configuration file

Commented the line out, imported the new ruleset into iptables and iptables didn’t block traffic sent from nginx to HHVM anymore, letting everything work as it is supposed to.

Now I’m hoping it doesn’t die again due to some other reason. This was really annoying.